OF COMPUTATION Volume 72, Number 244, Pages 1987–2000 S 0025-5718(03)01515-1 Article electronically published on February 3, 2003

IRREDUCIBLE OVER FINITE FIELDS

JOACHIM VON ZUR GATHEN

Abstract. A necessary condition for irreducibility of a over a finite field, based on classical results of Stickelberger and Swan, is established. It is applied in the special case F3, and some experimental discoveries are reported.

1. Introduction Trinomials are with three nonzero terms. Their computational ad- vantages have frequently been pointed out. Ben-Or (1981) [2] writes, “In order to make residue computation mod g(x) easier one looks for special types of irre- n ducible polynomials such as g(x)=x + x+ a, a ∈ Zp.” In cryptography, Canteaut and Filiol (2001) [4] attack some stream ciphers via the of trinomials, and trinomials have been used as a highly efficient data structure for represent- ing nonprime finite fields in exponentiation and discrete logarithm computations (Schroeppel et al. (1995) [30], von zur Gathen & N¨ocker (2002) [17]). Schroeppel et al. (1995) [30] write, “The irreducible trinomial T (u) has a structure that makes it a pleasant choice for representing the field”, and De Win et al. (1996) [11], “The reduction operation can be speeded up even further if an irreducible trinomial is used.” Menezes et al. (1997) [25], §5.4.2, say that “choosing an irreducible trino- mial[...] canleadtoa fasterimplementationofthefieldarithmetic.” Theynow form part of the IEEE Standard Specifications for Public-Key Cryptography: “The reduction of polynomials modulo p(t) is particularly efficient if p(t)hasasmall numberofterms. [...] Thus,itisa commonpracticetochoosea trinomialforthe field , provided that one exists. If an irreducible trinomial of degree m does not exist, then the next best polynomials are the pentanomials” (IEEE (2000) [22], A.3.4, p. 80). Trinomials over finite fields also occur in other application areas. They are used for characterization and construction of almost perfect nonlinear mappings (Carlet et al. (1998) [5], Helleseth et al. (1999) [21]) and of orthogonal arrays (Munemasa (1998) [26]). They are related to words of weight 3 and the minimal distance of certain cyclic codes (Charpin et al. (1997) [8], Charpin et al. (1999) [9]) and yield linearly recurrent sequences with special properties (Goldstein & Zierler (1968) [18], Golomb & Gong (1999) [20]). The bulk of this literature deals with F2 as the ground field, but Albert (1957) [1] deals with general finite fields, and F3 occurs in Charpin et al. (1999) [9] and Helleseth et al. (1999) [21]. Special trinomials arise in connection with the additive q version of Hilbert’s Theorem 90. As an example, x −x−a ∈ Fq[x] is irreducible for

Received by the editor March 29, 2001 and, in revised form, April 17, 2002. 2000 Mathematics Subject Classification. Primary 11T06, Secondary 12Y05, 68W30.

c 2003 American Mathematical Society 1987

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 1988 JOACHIM VON ZUR GATHEN

∈ F× q − − q−1 F any a q ,andifα is a root of it, then x x aα is irreducible in q(α)[x]; see Ore (1934) [27] and Kaplansky (1972) [23], Theorems 32 and 52. The degrees 2qm+1 qm−1 (qm+1)/2 of the irreducible factors of x + x +1andofx + ax + b in Fq[x] are studied in Carlitz (1970) [6] and Estes & Kojima (1996) [13], respectively. The main results here give a necessary (but not sufficient) condition for irre- ducibility of trinomials over a finite field Fq, and its application to q =3(Theorems 4 and 8). Somewhat to our surprise, the experiments in F3[x] (see section 5) did not find any irreducible trinomial in some classes where the theory allows them. A classical result of Stickelberger (1897) [33] determines the parity of the number of irreducible factors of a squarefree polynomial in terms of the quadratic character of its . This was taken up by Dalen (1955) [10], and Swan (1962) [34] provides a simple formula for the discriminant of a trinomial. See also Golomb (1967) [19], Chapter 5, and Berlekamp (1968) [3], Section 6.6. Loidreau (2000) [24] n k has applied this to trinomials x  x  1 ∈ F3[x] and found congruences for n and k which, together with the number of times that 2 divides n and k, characterize the property of being squarefree and having an odd number of irreducible factors. Any irreducible polynomial enjoys this property, but not vice versa. Based on Swan’s results, we show by a different approach that indeed the prop- erty depends only on the residues of n, k, n1,andk1 modulo certain numbers which are determined by the field size, where n1 and k1 are n and k, respectively, divided by gcd(n, k). Although these congruences characterize the stated property exactly, they give, of course, only a necessary condition for irreducibility. In fact, some of the congruence classes contain only reducible polynomials. Applying this to F3,we find a short list of small trinomials whose factorization is sufficient to completely characterize the property. These take a few seconds on a workstation, once programmed. They even can, in principle, be checked by hand. However, the advantage of dele- gating the tedious checking of case by case to a machine is underlined by the fact that we found three corrections to Loidreau’s handcrafted table. The table plus three easy simplifications, namely reversal, the substitution of −x for x, and the recognition of “systematic” linear factors, reduce the work for listing all irreducible trinomials of a given degree to about 8.2% of the number of test polynomials if we checked each trinomial. For 2 ≤ n ≤ 1500, we found irreducible trinomials for all but 220 values. For these exceptions, irreducible quadrinomials were found. It is conjectured that irre- ducible polynomials with at most four terms exist in Fq[x] for all degrees and all q ≥ 3. Some of our experimental findings defy explanation (by this author, at least). The probability p of being irreducible for uniformly random monic polynomials in F3[x] of degree at most 1500 is about 1/1500 (see below). But for a random trinomial, it is larger than 4p,andover6p in F2[x]. On the other hand, there are some congruence classes in which our theory allows irreducible polynomials, but where there are none (in the range of our experiments). In 2, the property is nicely described by the results of Vishne (1997) [35]. It is interesting to note that a similar result holds over Q in a special case: Selmer (1956) [32] shows that xn + x + 1 is irreducible in Q[x] if and only if n 6≡ 2mod3. An extended abstract of this work has appeared in the Proceedings of ACM ISSAC 2001, editor Bernard Mourrain, pp. 332–336.

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use IRREDUCIBLE TRINOMIALS OVER FINITE FIELDS 1989

2. Swan’s condition We fix the following notation: ≥ ∈ F× n>k 1 are , q is a power of the odd prime p, a, b q , f = xn + axk + b ∈ F [x], r is the number of irreducible factors of (1) q f in Fq[x], D ∈ Fq its discriminant, d =gcd(n, k), n1 = n/d,and k1 = k/d. The following two results from Swan (1962) [34] are fundamental for our question. Fact 2 (Swan (1962) [34]). In the above notation, we have the following for odd q.

(i) If f is squarefree, then r ≡ n mod 2 if and only if D is a square in Fq, − − − − (ii) D =(−1)n(n 1)/2 · bk 1 · (nn1 bn1 k1 − (−1)n1 (n − k)n1 k1 kk1 an1 )d. As Swan mentions, (i) goes back to Stickelberger (1897) [33]. It provides a necessary condition for irreducibility, and is, in fact, originally due to Pellet (1878) [28]. Dickson (1906) [12] proves this fact, apparently without being aware of the previous work. On our way to studying irreducibility, the following more general “Stickelberger” property of f ∈ Fq[x] is of central interest: (S) f is squarefree and has an odd number of irreducible factors.

Corollary 3. In the above notation, for odd q, f has property (S) ⇐⇒ D(q−1)/2 =(−1)n+1. Proof. It is well-known that f is squarefree if and only if D =6 0. Now we assume that D =0.Then6 D is a square if and only if D(q−1)/2 =1,and r odd ⇐⇒ (n is odd and D(q−1)/2 =1)or(n is even and D(q−1)/2 = −1). 

We denote by ν`(m) the multiplicity of a prime ` in any nonzero m.The following is the main result of this paper. Theorem 4. Let q be a power of the odd prime p, f = xn + axk + b with a, b ∈ F× ≥ · − q , n>k 1, d =gcd(n, k), n1 = n/d, k1 = k/d, m2 = p (q 1),and m1 =lcm(4,m2). Then the discriminant of f and property (S) depend only on the following residues:

n mod m1,kmod m2,n1 and k1 mod q − 1. ∗ ∗ Proof. We let D =disc(f) ∈ Fq. Also, we let n ,k be two further integers with ∗ ∗ ∗ n∗ k∗ ∗ n >k ≥ 1,r the number of irreducible factors of x + ax + b in Fq[x], D ∗ ∗ ∗ its discriminant and d ,n1,andk1 analogous to the quantities defined above. We ≡ ∗ ≡ ∗ ≡ ∗ − suppose furthermore that n n mod m1, k k mod m2,n1 n1 mod (q 1), ≡ ∗ − ∗ 6 and k1 k1 mod (q 1). The claim of the theorem is that D = D and, if D =0, that r ≡ r∗ mod 2. u v By Fermat’s Little Theorem, we have c = c for any c ∈ Fq and positive integers u, v with u ≡ v mod q − 1. It follows that the first two factors in Fact 2 (ii) for D equal those in D∗.Furthermore,n ≡ n∗ mod p and k ≡ k∗ mod p, and all the exponents in the third factor in D equal modulo q − 1 their analogues in D∗.(We note that all these exponents are positive integers.) It is now sufficient to show that d ≡ d∗ mod q − 1; then D = D∗, and Fact 2 (i) implies the second claim.

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 1990 JOACHIM VON ZUR GATHEN

∗ ∗ Let ` be a prime divisor of q − 1, and λ = ν`(q − 1), µ = ν`(d), µ = ν`(d ). If µ ≥ λ,thenn∗ ≡ n ≡ 0mod`λ and k∗ ≡ k ≡ 0mod`λ imply that µ∗ ≥ λ.Now we suppose that µ<λ.Thenµ equals at least one of ν`(n)andν`(k). We assume λ that µ = ν`(n); the other case is analogous. Now n1 = n/d is a modulo ` , ∗ ≡ λ and so is n1 n1 mod ` .Thuswehave ∗ n n ∗ λ d = ≡ ∗ = d mod ` . n1 n1 Since this holds for any prime power divisor `λ of q − 1, we conclude that d ≡ d∗ mod q − 1.  Our assumptions imply that the actual value of D is fixed, while it would be sufficient to fix its quadratic character. But we do not see an interesting way of weakening the assumptions accordingly. In the case p = 2, one may assume (using reversion, as below) that exactly one of n and k is even. Then in the last factor of Swan’s formula for D,oneofthe two summands vanishes. This simplifies things considerably, and Vishne (1997) [35] has given a complete characterization of trinomials with property (S) in this case. Cazacu & Simovici (1973) [7] deal with roots of special trinomials in characteristic 2.

3. Two symmetries

Let s, k =0

Theorem 5. In the above notation, let g =gcd(q − 1,k1,...,ks−1). Then each F× − orbit of the action of q has size (q 1)/g. ∈ F× ∈ Proof. We let z q be a primitive element of the multiplicative group, f S, and j ∈ N.Thenwehave X X ki −jn j ki f = fzj ⇐⇒ aix = z ai(z x) 0≤i

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use IRREDUCIBLE TRINOMIALS OVER FINITE FIELDS 1991

The last condition does not depend on f. It follows that the kernel of the action is generated by z(q−1)/g and has g elements. Therefore each orbit has precisely (q − 1)/g elements.  As indicated below, several types of polynomials have property (S) but do not contain irreducible polynomials, because each member has a root in Fq.Wemight hope to rule out further types by finding roots in extensions of Fq. But the following result shows that this does not work.

Lemma 6. Let q be a power of the prime p, f ∈ Fq[x], β in some of Fq,andβ =06 . k0+im (i) Let k0 and m be nonnegative integers with m ≥ 1 and f(β)+β =0 0 0 for all i ≥ 0,andm = m/pνp(m).Thenβm =1. (ii) If, furthermore, m = m2 = p(q − 1) as in Theorem 4, then β ∈ Fq. Proof. (i) It is sufficient to take i =0andi = 1, subtract the two equations k m and factor out β 0 to obtain β =1.Ife is the degree of Fq(β)overFp and j = dνp(m)/ee, then by Fermat’s Little Theorem in Fq(β), 0 0 ej ej−ν (m) βm =(βm )p = βm·p p =1. (ii) The first part implies that βq−1 =1. 

4. The special case F3

The search for irreducible trinomials in F3[x] was the starting point for this work. This may be considered a worthwhile goal in itself. The special motivation for us is that irreducible trinomials furnish a representation of nonprime finite fields which is particularly efficient for exponentiation, which in turn is the primary operation in several cryptosystems (see von zur Gathen & N¨ocker (1997) [16], Gao et al. (2000) [15], von zur Gathen & N¨ocker (2002) [17]). In the last paper, σq(n) is defined as the minimal number of terms in irreducible polynomials of degree n in Fq[x], and it is conjectured that for all n ≥ 1, σ2(n) ≤ 5, and σq(n) ≤ 4forq ≥ 3. The conjecture has been verified for q =2andn<10 000 (see Golomb (1967) [19], chapter 5; Zierler & Brillhart (1969) [37]; Zierler (1970) [36]; Fredricksen & Wisniewski (1981) [14]; von zur Gathen & N¨ocker (2002) [17]). The experiments reported in this paper show its truth for q =3andn ≤ 1500. We set

(7) s =(n1 mod 2,k1 mod 2), where n1 = n/ gcd(n, k),k1 = k/ gcd(n, k).

Using a concise notation, s cantakethethreevalues11, 10, and 01, since n1 and k1 are not both even. n k Theorem 8. Let f = x  x  1 ∈ F3[x] be a trinomial. (i) f has property (S) if and only if the value of k mod 6 appears in Table 1, in column f and row n mod 12, possibly with a condition on s. (ii) If f is irreducible, then the value of k mod 6 appears nonitalicized in Table 1. Proof. We have 12 ·6·3 = 216 values of (n, k, s) to consider for each form of f.Some simplifications are possible. We assume that n ≡ n∗ mod 12 and k ≡ k∗ mod 6. ∗ ∗ If n is odd, then ν2(n)=ν2(n ) = 0, and ν2(k) > 0 if and only if ν2(k ) > 0. Thus s = s∗. Similarly, if k is odd, then s = s∗. In these 54 cases, there is

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 1992 JOACHIM VON ZUR GATHEN

Table 1. The values of k mod 6 for which the polynomial in F3[x] at the column head with 1 ≤ k

n mod 12 xn + xk +1 xn + xk − 1 xn − xk +1 xn − xk − 1 0 — 2, 4 — 2, 4 1 0, 1, 3, 4 0, 1, 3, 4 0, 1, 3, 4 0, 1, 3, 4 2 0, 2, 3, 5 1 0, 2, 3, 4, 5 1 3 4, 5 2, 5 1, 2 1, 4 4 — 0, 1, 3, 4, (2; 01, 10) — 0, 1, 3, 4, (2; 01, 11) 5 — 4 1, 4 1 6 1, 2, 4, 5 1, 5 1, 2, 4, 5 1, 5 7 — 2 2, 5 5 8 — 0, 2, 3, 5, (4; 01, 10) — 0, 2, 3, 5, (4; 01, 11) 9 1, 2 1, 4 4, 5 2, 5 10 0, 1, 3, 4 5 0, 1, 2, 3, 4 5 11 0, 2, 3, 5 0, 2, 3, 5 0, 2, 3, 5 0, 2 , 3, 5

only one relevant value of s.Ifn ≡ 2mod4 and k is even, then ν2(n)=1and ∗ ∗ ν2(k), ν2(k ) ≥ 1, so that s, s ∈{11, 10}. In these nine cases, there are two values of s, and in the remaining nine cases, three values of s. The total comes to 54·1+9·2+9·3 = 99 possibilities for (n, k, s). We first determine all possible values of (n mod 12,kmod 6), as described below. Then we factor 99 · 4 polynomials, one for each case, on a . (Each of them takes only seconds on a workstation.) The value is entered into Table 1 if and only if the test polynomial has property (S). Finally, we put those values in italics where the polynomial has 1or−1 as a root, namely the whole column xn + xk + 1 with 24 entries, and 18 further cases with the factor x − 1. These entries with a “systematic” linear factor are in italics. n k Now for an arbitrary trinomial f = x  x  1overF3, Theorem 4 guarantees that our test polynomial for (n mod 12,kmod 6,s) has property (S) if and only if f has it, and then the corresponding value appears in the table.  It is no surprise that Table 1 is invariant under monic reversal and the oper- F× ation of 3 , that is, the negation of x. Each column is also invariant under the substitution of (n, k)by(−n, −k)mod(12, 6); this is easy to explain.

Proposition 9. Assume the notation (1), m1 and m2 as in Theorem 4, and fur- ≤ ∗ ∗ ∗ ≡− ∗ ≡− ∗ ≡− thermore 1 k

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use IRREDUCIBLE TRINOMIALS OVER FINITE FIELDS 1993

Little Theorem now implies that ∗ n∗ n∗−k∗ n n n −k n u =(−n) 1 b 1 1 =(−1) 1 n 1 b 1 1 =(−1) 1 u, ∗ and similarly v =(−1)n1 v.Thus   ∗ ∗ ∗ d D u − v d =(−1)n =(−1)n ((−1)n1 ) =1.  D u − v

Loidreau (2000) [24] took Swan’s result over F3 and worked out, for general n and k, the necessary case distinctions. He found that the property under consideration depends only on n mod 12 and k mod 6. We turned this around, and first proved the latter result, then ran an experiment for each case. In order to compare with Loidreau’s results, we first note that ν2(n) >ν2(k) corresponds to s = 01, ν2(n)= ν2(k)tos = 11, and ν2(n) <ν2(k)tos = 10. We find that our table agrees with his results, except that for xn −xk +1 his values (3, 4) and (3, 5) for (n mod 12,kmod 6) should not be included, and that (7, 2) is missing. Is ours an “elegant” proof? Well, Theorem 8 refers to a messy table and there- fore cannot be considered elegant. Seiden (2001) [31] writes, “In the best of cir- cumstances, the computational method allows us to give the inelegant part of a proof, at which we would turn our noses up, to a computer for verification.” In some sense, we may have achieved this goal, by proving Theorem 4 and leaving the messy calculations to a computer.

5. Experiments

We computed all irreducible trinomials in F3[x] of degrees n ≤ 1500, and found some for each n ≥ 2 except for 220 values of n. Some statistics are given in Table 2. It is no surprise that the residue classes of n mod12withsparserowsinTable1are represented frequently. For each “exceptional” n, we found an irreducible quadri- nomial. Ree (1971) [29] proves that for any n, the number of irreducible trinomials xn + ∈ F ∈ F× x + a p[x]witha p tends to p/n for large p. Just like general polynomials, these special trinomials are irreducible with probability about 1/n. Can we expect something similar for general trinomials over F3 and growing n? Is irreducibility equidistributed except for the constraints imposed by Theorem 8? The answer is, No—there seem to be conditions that do not follow from the present theory. It is also quite unexpected that the probability to be irreducible is over four times as high for trinomials than for general polynomials, in our experimental range.

Table 2. The number #n of n with σ3(n) = 4 and 100i ≤ n< 100(i + 1) (top) and in each congruence class modulo 12 (bottom). The last row #k gives the number of nonitalicized values of k in each row of (1).

i 01234567891011121314 #n 6 10 14 9 17 18 17 15 17 17 18 15 20 12 14 n mod 12 01234567891011 #n 27 12 7 34 7 34 5 31 12 33 12 6 2 2 #k 4 85493 46493 458

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 1994 JOACHIM VON ZUR GATHEN

Table 3. Irreducible trinomials in F3[x]withdegreen ≤ 1500.

xn + xk − 1 n\k 012345 0 145,0,0r 145,0,0r 1 161r− 149r− 2 137r− 3 188r− 4 231,0,0r 251r− 121,0,0r 251r− 231,0,0r 5 158r− 6 158r− 158r− 7 160r− 8 229,0,0r 229,0,0r 241r− 106,0,0r 241r− 9 170r− 10 108r− 11 143r− 179r− xn − xk +1 n\k 012 345 0 1 −(1,0,) r−(1,0,) r−(1,4,) −(1,4,) 2 84,76r r(2,0,∓) 81,81 3 r−(3,2,) −(3,2,) 4 5 r−(5,4,) −(5,4,) 6 72,97r r(6,2,∓) 7 −(7,2,) r−(7,2,) 8 9 −(9,4,) r−(9,4,) 10 79,87r 75,75 r(10,0,∓) 11 −(11,0,) −(11,2,) r−(11,2,) r−(11,0,)

Table 3 counts the irreducible trinomials. A table entry is indexed by

(10) e =(n0,k0,s0,a,b)

with row index 0 ≤ n0 < 12, column index 0 ≤ k0 < 6, s0 ∈{01, 10, 11} and a, b ∈ {1}. We have condensed the table by applying the symmetries of Section 3. It turned out that only (a, b)=(1, −1) (top table) and (a, b)=(−1, 1) (bottom table) have to be considered. The subscript r means that monic reversal yields another entry with the same numerical value, and the subscript r− corresponds to three other entries obtained by monic reversal and the negation of x.Thevaluesofs are ordered as 01, 10, 11, and the values of k mod 6 are split into six columns 0,...,5. Thus the n k first entry 145,0,0r means that we found 145 irreducible trinomials x +x −1with n ≡ 0 mod 12, k ≡ 2 mod 6, and s = 01, so that e =(0, 2, 01, 1, −1), and none for s =10ors = 11. The subscript r points to another entry given by monic reversal and not shown in the table, namely 145,0,0 for xn − xk − 1withn ≡ 0 mod 12 and k ≡ 4 mod 6. Similarly, the entry 161r− says that 161 irreducible polynomials were found for e =(1, 0, 10, 1, −1), and the subscript r− points to the other three entries

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use IRREDUCIBLE TRINOMIALS OVER FINITE FIELDS 1995

(1, 1, 11, −1, −1), (1, 0, 10, −1, 1), and (1, 1, 11, −1, 1) obtained by monic reversal, by substituting −x, and by applying both symmetries, respectively. For each of these three entries, we also have 161 irreducible trinomials. In the bottom table of Table 3, the first entry −(1,0,) means that we have 161 irreducible trinomials for e =(1, 0, 10, −1, 1), just as for (1, 0, 10, 1, −1) obtained by negating x.Theentryr(2,0,∓) in the row n = 2 points to the (84, 76) irreducible trinomials xn − xk +1forn ≡ 2, k ≡ 0, and s =(10, 11). The condensation makes the tables somewhat shorter; for example, all xn − xk − 1 are obtained from some 0 xn +xk −1 by symmetry. Furthermore, necessarily duplicated values are eliminated and “accidentally” duplicated values (see below) are clearly visible. The two tables together correspond to the two middle columns in Table 1. Because of the condition 1 ≤ kν2(k)). We have no explanation for this phenomenon. We also observe several repeated values in Table 3; namely, the entries for (n, k, s, a, b) (12) n ≡ 0mod4=⇒ and (n, (n − k)rem6,s,a,b)areequal. Again, we do not know whether this is a coincidence. Open Question 13. Are (11) or (12) true in general? We also observed that trinomials are over four times as likely to be irreducible than general polynomials, in the range of our experiments. If Iq(n) denotes the number of irreducible monic polynomials f ∈ Fq[x]ofdegreen,then   1 X n qn I (n)= µ · qd ≈ , q n d n d|n and the probability for a random monic f of degree at most N to be irreducible is P   I (n) − X P1≤n≤N q q 1 1 n · d pq(N)= n = N+1 µ q ≤ ≤ q q − 1 n d 0 n N 1≤n≤N d|n q − 1 X 1 = µ(k) · q−N+ms (m), q − q−N k q k≤N m=bN/kc P d−m −1 − −1 ≥ where sq(m)= 1≤d≤m q /d.Wehavesq(m)=q sq(m 1)+m for m 2, −1 m ≤ sq(m) ≤ 1, and for large N   1 p (N) ≈ 1 − s (N). q q q We find

p3(1500) ≈ 0.00066 ≈ 1/1499.5.

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 1996 JOACHIM VON ZUR GATHEN P · − − On the other hand, there are 4 2≤n≤N (n 1) = 2N(N 1) monic trinomials in F3[x]ofdegreeatmostN, and 12 498 monic irreducible trinomials of degree at most 1500, so that in this range a trinomial has a chance of 12 498 r = ≈ 0.00278 ≈ 1/359.82 2 · 1500 · 1499 to be irreducible. We have

r/p3(1500) ≈ 4.16739. Thus a random trinomial is over four times as likely to be irreducible than a random polynomial, in this range. For q =2,wehave 4575 p (1500) ≈ 0.00067 ≈ 1/1499,r= ≈ 0.004,r/p(1500) ≈ 6.1, 2 1 124 250 2

with r as above for F2 instead of F3. Hence for polynomials of degree up to 1500 in F2[x], trinomials are more than six times as likely to be irreducible as general ones. Open Question 14. What happens in general?

For e =(n0,k0,s0,a,b)andn ≡ n0 mod 12, the set of all trinomials correspond- ing to e is n k Sn(e)={x + ax + b ∈ F3[x]: k ≡ k0 mod 6,s= s0}, with s as in (7), and the number of irreducible ones is

tn(e)=#{f ∈ Sn(e): f irreducible}.

Theorem 8 says that tn(e) = 0 unless e appears nonitalicized in Table 1. Is irre- ducibility evenly distributed among these e? For N ∈ N and an entry e as in (10), we set X X −1 TN (e)=p3(N) tn(e) / #Sn(e), 2≤n≤N 2≤n≤N n≡n0 mod 12 n≡n0 mod 12

so that trinomials in Sn(e) are irreducible with probability p3(N) · TN (e), averaged over n ≤ N. Table 4 gives the relevant values of T1500(e). The missing values are given by the pointers in Table 3, or else are zero. For every n0 < 12, there is some e as in (10) so that the proportion of irreducible polynomials in Tn(e)isatleast fifteen times as high as in the set of all polynomials, within our experimental range.

Of the 288 = 12 · 6 · 4 possible values of (n, k, f) for Table 1, only 114 appear, four of them with a restriction on s. These restrictions occur in four cases, where n ≡ 4 mod 12 and k ≡ 2 mod 6, or n ≡ 8 mod 12 and k ≡ 4mod6.InTheorem15, we will show the following statistics for these restrictions. If we fix such an n and consider all such k with 1 ≤ k

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use IRREDUCIBLE TRINOMIALS OVER FINITE FIELDS 1997

Table 4. The relevant values of T1500(e).

xn + xk − 1 xn − xk +1 n\k 012345 024 0 20.7,0,0 20.7,0,0 1 15.6 14.4 2 13.1 16.3,14.7 15.7,15.7 3 18.0 4 33.5,0,0 24.1 17.4,0,0 24.1 33.5,0,0 5 15.2 6 15.2 15.2 13.9,18.5 7 15.4 8 32.7,0,0 32.7,0,0 23.1 15.3,0,0 23.1 9 16.3 10 10.4 15.3,16.6 14.3,14.3 11 13.7 17.0

F× The action of 3 hasorbitsofsize2/ gcd(2,k,n), and it is sufficient to consider only one representative from each orbit. The size is 2 unless both k and n are even, 1 when it is 1. The former occurs in 48 nonitalicized entries, the latter in 23 3 entries. 1 1 ≈ Thus on average we have a reduction by a factor of 47 3 /71 3 =71/107 66.4%. The total number of candidate trinomials will be close to 1 1 71 2 71 · · =23 3 2 107 3 out of the 288 possibilities, a reduction to about 8.2%. We next determine the gain that results from ruling out one of the possibilities s =11ors = 10 in four entries of Table 1. For i ∈{01, 10, 11},wedenotebyti(n) the number of integers k with 1 ≤ k

The first part of the next theorem shows that t10(n)=t11(n), and the ratio ν2(n) ν2(n) t(n)/t11(n)isabout2 (if 2  n). Its second part shows that this ratio is close to 6 on average. Thus the proportion t01 : t10 : t11 is about 4: 1: 1, on average.

Theorem 15. (i) Let n be a positive integer with n ≡ 4mod12,ande = ν2(n). Then n − (−2)e t (n)=t (n)= . 10 11 6 · 2e (ii) The ratio T (N)/T11(N) tends to 6,andmoreprecisely     − 42 log N ≤ T (N) ≤ 52 log N 6 1 + O( 2 ) 6 1+ + O( 2 ) . N N T11(N) N N

The proof is omitted. For 76 ≤ N ≤ 4000, the values of N · (T (N)/T11(N) − 6) are between −60 and 20. The corresponding results also hold in the other case of interest, where n ≡ 8 mod 12 and k ≡ 4mod6.

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 1998 JOACHIM VON ZUR GATHEN

A heuristic estimate goes as follows. For a randomly chosen of degree n in Fq[x], the probability of it being irreducible is about 1/n.Ifwechoose nt many independently, then the probability that none is irreducible is about   1 nt 1 − ≈ e−t. n

2 There are roughly n(q−1) monic trinomials of degree n in Fq[x], and if irreducibility occurred about as often as for random polynomials (which it does not), we would −(q−1)2 find e for the “probability” that σq(n) ≥ 4. (Of course, σq(n) is a well- 2 defined integer, with no random choices involved.) The value e−2 ≈ 1.8% is much smaller than the rate of almost 15% we found for n ≤ 1500, and shows that this heuristic is not worth much. Not even slightly discouraged by this, we also apply the heuristics to quadrino- mials, and find the following upper bound for the “probability” that σq(n) ≥ 5for some n,   X n2(q−1)3/2 X 1 3 3 1 − ≈ e−n(q−1) /2 ≈ e−3(q−1) /2. n n≥3 n≥3 The last number evaluates to about 0.6 · 10−5 for q =3.

Acknowledgments The author thanks Olaf M¨uller for substantial help with the computations and the preparation of the tables, and an anonymous referee for helpful suggestions and the reference to Pellet’s paper.

References

[1] A. A. Albert (1957). On certain trinomial equations in finite fields. Annals of Mathematics 66(1), 170–178. MR 19:394d [2] M. Ben-Or (1981). Probabilistic in finite fields. In Proceedings of the 22nd Annual IEEE Symposium on Foundations of Computer Science, Nashville TN, 394–398. [3] Elwin R. Berlekamp (1968). Algebraic Coding Theory. McGraw-Hill, New York. MR 38:6873 [4] Anne Canteaut & Eric Filiol (2001). Ciphertext only reconstruction of stream ciphers based on combination generators. In Proceedings of Fast Software Encryption (FSE 2000), B. Schneier, editor, number 1978 in Lecture Notes in Computer Science. Springer-Verlag, New York. http://link.springer.de/link/service/series/0558/bibs/1978/19780165.htm [5] Claude Carlet, Pascale Charpin & Victor Zinoviev (1998). Codes, Bent Functions and Permutations Suitable For DES-like Cryptosystems. Designs, Codes and Cryptography 15, 125–156. MR 99k:94030 [6] L. Carlitz (1970). Factorization of a special polynomial over a finite field. Pacific Journal of Mathematics 32(3), 603–614. MR 41:1693 [7] C. Cazacu & D. Simovici (1973). A New Approach of Some Problems Concerning Polyno- mials Over Finite Fields. Information and Control 22, 503–511. MR 48:3925 [8] P. Charpin, A. Tietav¨ ainen¨ & Victor Zinoviev (1997). On binary cyclic codes with min- imum distance d =3.Problems of Information Transmission 33(4), 287–296. [9] Pascale Charpin, Aimo Tietav¨ ainen¨ & Victor Zinoviev (1999). On the Minimum Dis- tances of Non-Binary Cyclic Codes. Designs, Codes and Cryptography 17, 81–85. MR 2000h:94050 [10] K˚are Dalen (1955). On a theorem of Stickelberger. Mathematica Scandinavica 3, 124–126. MR 17:130a

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use IRREDUCIBLE TRINOMIALS OVER FINITE FIELDS 1999

[11] Erik De Win, Antoon Bosselaers, Servaas Vandenberghe, Peter De Gersem & Joos Vandewalle (1996). A Fast Software Implementation for Arithmetic Operations in GF (2n). In Advances in Cryptology: Proceedings of ASIACRYPT 1996, Kyongju, Korea, Kwangjo Kim, editor, number 1163 in Lecture Notes in Computer Science, 65–76. Springer-Verlag. ISSN 0302-9743. ftp://ftp.esat.kuleuven.ac.be/pub/cosic/dewin/asia96p103.ps.gz.MR 98g:94001 [12] L. E. Dickson (1906). Criteria for the irreducibility of functions in a finite field. Bulletin of the American Mathematical Society 13(1), 1–8. n [13] Dennis R. Estes & Tetsuro Kojima (1996). Irreducible Quadratic Factors of x(q +1)/2 + ax + b over Fq. Finite Fields and Their Applications 2(2), 204–213. ISSN 1071-5797. MR 97a:11196 [14] H. Fredricksen & R. Wisniewski (1981). On Trinomials xn + x2 +1 and x8l3 + xk +1 Irreducible over GF (2). Information and Control 50, 58–63. MR 84i:12013 [15] Shuhong Gao, Joachim von zur Gathen, Daniel Panario & Victor Shoup (2000). Algo- rithms for Exponentiation in Finite Fields. Journal of Symbolic Computation 29(6), 879–889. http://www.idealibrary.com/servlet/doi/10.1006/jsco.1999.0309.MR2002e:68152 [16] Joachim von zur Gathen & Michael Nocker¨ (1997). Exponentiation in Finite Fields: Theory and Practice. In Applied Algebra, Algebraic Algorithms and Error-Correcting Codes: AAECC-12, Toulouse, France, Teo Mora & Harold Mattson, editors, number 1255 in Lecture Notes in Computer Science, 88–113. Springer-Verlag. ISSN 0302-9743. MR 99c:68123 [17] Joachim von zur Gathen & Michael Nocker¨ (2002). Exponentiation using addition chains for finite fields. In preparation. [18] Richard M. Goldstein & Neal Zierler (1968). On Trinomial Recurrences. IEEE Trans- actions on Information Theory IT-14(1), 150–151. [19] Solomon W. Golomb (1967). Shift Register Sequences. Holden-Day Series in Information Systems. Holden-Day, Inc., San Francisco, California. With portions co-authored by Lloyd R. Welch, Richard M. Goldstein, and Alfred W. Hales. MR 39:3906 [20] Solomon W. Golomb & Guang Gong (1999). Periodic Binary Sequences with the “Tri- nomial Property”. IEEE Transactions on Information Theory 45(4), 1276–1279. MR 2000g:94026 [21] Tor Helleseth, Chunming Rong & Daniel Sandberg (1999). New Families of Almost Perfect Nonlinear Power Mappings. IEEE Transactions on Information Theory 45(2), 475– 485. MR 2000c:11201 [22] IEEE (2000). IEEE Standard Specifications for Public-Key Cryptography. Technical Report IEEE Std 1363-2000, Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, NY 10016-5997, USA. [23] I. Kaplansky (1972). Fields and Rings. University of Chicago Press, Chicago. MR 50:2139 [24] Pierre Loidreau (2000). On the Factorization of Trinomials over F3. Technical Re- port 3918, Institut national de recherche en informatique et en automatique (INRIA). http://www.inria.fr/RRRT/RR-3918.html. [25] Alfred J. Menezes, Paul C. van Oorschot & Scott A. Vanstone (1997). Handbook of Applied Cryptography. CRC Press, Boca Raton FL. MR 99g:94015 [26] Akihiro Munemasa (1998). Orthogonal Arrays, Primitive Trinomials, and Shift-Register Sequences. Finite Fields and Their Applications 4(3), 252–260. MR 99m:94029 [27] Oystein Ore (1934). Contributions to the theory of finite fields. Transactions of the Amer- ican Mathematical Society 36, 243–274. [28] A.-E. Pellet (1878). Sur la d´ecomposition d’une fonction enti`ere en facteurs irr´eductibles suivant un module premier p. ComptesRendusdel’Acad´emie des Sciences Paris 86, 1071– 1072. [29] Rimhak Ree (1971). Proof of a Conjecture of S. Chowla. Journal of Number Theory 3, 210–212. MR 43:3235; MR 45:3362 [30] Richard Schroeppel, Hilarie Orman, Sean O’Malley & Oliver Spatscheck (1995). Fast Key Exchange with Elliptic Curve Systems. In Advances in Cryptology: Pro- ceedings of CRYPTO ’95, Santa Barbara CA, Don Coppersmith,editor,num- ber 963 in Lecture Notes in Computer Science, 43–56. Springer. ISSN 0302-9743. http://theory.lcs.mit.edu/ dmjones/hbp/crypto/crypto95.html.MR98a:94029 [31] Steve Seiden (2001). Can a Computer Proof be Elegant? SIGACT News 60(1), 111–114.

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 2000 JOACHIM VON ZUR GATHEN

[32] Ernst S. Selmer (1956). On the irreducibility of certain trinomials. Mathematica Scandi- navica 4, 287–302. MR 19:7f [33] L. Stickelberger (1897). Uber¨ eine neue Eigenschaft der Diskriminanten algebraischer Zahlk¨orper. Verhandlungen des ersten Internationalen Mathematiker-Kongresses, Z¨urich, 182–193. [34] Richard G. Swan (1962). Factorization of polynomials over finite fields. Pacific Journal of Mathematics 12, 1099–1106. MR 26:2432 [35] Uzi Vishne (1997). Factorization of Trinomials over Galois Fields of Characteristic 2. Finite Fields and Their Applications 3(4), 370–377. MR 98i:11106 [36] Neal Zierler (1970). On xn + x +1 over GF (2). Information and Control 16, 502–505. MR 42:5955 [37] Neal Zierler & John Brillhart (1969). On Primitive Trinomials (Mod 2), II. Information and Control 14, 566–569. MR 39:5521

Fakultat¨ fur¨ Elektrotechnik, Informatik, Mathematik, Universitat¨ Paderborn, D-33095 Paderborn, Germany E-mail address: [email protected]

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use